alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Github Enterprise SAML Authentication Bypass (CVE-2024-9487)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/saml/consume"; fast_pattern; http.cookie; content:"saml_csrf_token|3d|"; http.request_body; content:"SAMLResponse|3d|"; base64_decode:offset 0, relative; base64_data; content:"|3c|saml2p|3a|Response|20|"; startswith; content:"|3c 2f|ds|3a|KeyInfo|3e 3c|ds|3a|Object"; distance:0; content:"|3c|samlp|3a|Response|20|"; distance:0; content:"|3c|saml2|3a|Assertion"; distance:0; content:"|3c|saml2|3a|EncryptedAssertion"; reference:url,projectdiscovery.io/blog/github-enterprise-saml-authentication-bypass; reference:cve,2024-9487; classtype:web-application-attack; sid:2061124; rev:1; metadata:affected_product Github_Enterprise, attack_target Server, tls_state TLSDecrypt, created_at 2025_03_27, cve CVE_2024_9487, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_03_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)